
Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 653 716 A1

EUROPEAN PATENT APPLICATION

Application number: 93402682.4
Date of filing: 02.11.93

Int. Cl.6: G06F 17/50

Date of publication of application: 17.05.95 Bulletin 95/20

Designated Contracting States: BE CH DE ES FR GB IT LI NL SE

Applicant: BULL S.A., Tour BULL, 1, place Carpeaux, F-92800 Puteaux (FR)

Inventor: Tamisier, Thomas, 22, rue au Pain, F-78100 Saint Germain en Laye (FR)

Representative: Denis, Hervé et al, Direction de la Propriété Intellectuelle BULL SA, Poste courrier LV59C18, 68 route de Versailles, F-78430 Louveciennes (FR)

Method of verification of a finite state sequential machine and resulting information support and verification tool.



The method of computing the reverse image of the transition function Δ(δ, δ') of a product finite state machine (PFSM), i.e. Δ^{-1}(E_{n-1}), from the set of (n-1)-equivalent states comprises the steps of (a) constructing in a canonical way, from the BDD of the graph of the equivalence relation E_{n-1}, the BDD of the graph of a total function from S into S, named cross-section and denoted C(E_{n-1}), (b) constructing from the cross-section and the vector δ a new vector δ^{n-1} = C(E_{n-1}) ∘ δ, and (c) computing the equivalent pairs of states with respect to the vector δ^{n-1} to obtain the pairs of (∀x Δ^{-1}(E_{n-1})).

The invention relates to a method of verification of a finite state sequential machine and more particularly to a method of computing, by means of a computer, an equivalence relation of a finite state machine. It also relates to an information support incorporating a program carrying out the method of the invention and to a verification tool carrying out the method.

The design of very large scale integration circuits requires zero-defect circuits because prototyping is a very expensive way to debug circuits. Hardware design and verification use an abstract description of a circuit realization (hardware device) and of a circuit specification (expected behaviour) in the shape of a finite automaton, called finite state machine or FSM. The finite state machine is obtained by abstraction tools from a description in a hardware description language (e.g., VHDL) of the circuit realization or of the circuit specification. The finite state machine performs the comparison by equivalence or implication of the circuit realization with the circuit specification. An example of a finite state machine is described in publication (1): Workshop on Automating Verification Methods for Finite State Systems, Grenoble, July 1989, "Verification of Synchronous Sequential Machines Based on Symbolic Execution", Coudert et al. In a finite state machine a method of computing equivalence relations is used, in particular the observable equivalence. A present application of observable equivalence in hardware design and verification is mainly the tool called Auto/Autograph, as described for example in Proceedings of the DIMACS Workshop on Computer-Aided Verification, Vol. 3, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1990, pages 477-492, Roy et al., "Auto/Autograph". This tool allows a reduction of the complexity of the states reachable from the initial states while minimizing the number of state variables, which in hardware design results in a reduction of the number of state registers in a circuit.

Figure 1 is a block diagram illustrating the operation of a finite state machine FSM. It uses three sets and two functions. The three sets comprise a set of inputs, named I, a set of states, named S, and a set of outputs, named O, and the functions comprise a transition function δ of the type I × S → S and an output function λ of the type I × S → O. The three sets I, S and O are finite sets made of inputs x, states s and outputs o, respectively. In the machine as illustrated in Figure 1, the transition function δ uses the set I of inputs as a first input and the set S of states as a second input to provide an output to the set S of states. The output function λ uses the set I of inputs as a first input and the set S of states as a second input to provide an output to the set O of outputs. The transition function δ, the output function λ and the set of states operate as a processing circuit PC. In operation, the machine FSM is initially in a predetermined state and input sequences from the set I of inputs are successively applied to the two functions. In response to each input sequence, the machine computes a state s from the input sequence, the current state and the transition function δ, while computing an output o from the input sequence, the current state and the output function λ, and switches into the state s.

Also, it can be said that the machine FSM produces a sequence of n outputs in response to a sequence of n inputs. In the following example:

    {s1, s2} ⊂ S     δ : (s1, x1) → s2     λ : (s1, x1) → o2
    {x1, x2} ⊂ I     δ : (s2, x1) → s1     λ : (s2, x1) → o2
    {o1, o2} ⊂ O                           λ : (s1, x2) → o1

the machine FSM produces the output sequence "o2 o2 o1" from the input sequence "x1 x1 x2" when the initial state is s1.

The invention relates to the problem of the computation of the observable equivalence relation of a machine FSM. It will be assumed that the machine has the state s and produces a sequence of m outputs O = (o1, ..., om) in response to a sequence of m inputs X = (x1, ..., xm). The observable equivalence is the equivalence of the states with regard to the produced outputs. Two states s and s' are said to be equivalent if, from states s and s', the machine always produces the same output sequence in response to the same input sequence of any length. Two states s and s' are said to be k-equivalent (where k is an integer ≥ 1) if they are equivalent for any sequence of length ≤ k. The set of equivalent (respectively k-equivalent) state pairs is denoted E (respectively E_k). We assume that for any j ≤ i the set E_i is included in E_j. In other words, if k ≤ j: E ⊆ E_j ⊆ E_k ⊆ S × S.

Furthermore, the invention is concerned with a data structure based on boolean functions. A boolean function is of the type f(x1, ..., xn) : {0, 1}^n → {0, 1}. An identity is known between the boolean function f and the set X ⊆ {0, 1}^n : X = {(x1, ..., xn) | f(x1, ..., xn) = 1}, so that every set can be represented by its characteristic function and both are denoted by the same symbol. Let φ be a boolean function and v1, v2, ..., vn its variable support. Also, let φ[vi ← 0] be the formula in which the variable vi is replaced by the constant 0, and O an order on v1, v2, ..., vn, here considered as v1 < v2 < ... < vn. Then a graph currently named Shannon's tree of φ in the ordering O and denoted Δ(φ) can be built in compliance with the two following rules. First, the trees of the constants are the leaves "true" and "false" and, second, the tree has a single root labelled by the variable v1. From the root grow two branches, i.e. a branch aiming in the right direction on the tree of φ[v1 ← 0] and a branch aiming in the left direction on the tree of φ[v1 ← 1]. Two equivalent boolean functions have the same Shannon's tree modulo an ordering on the set of boolean variables and the choice of a variable support. From Shannon's tree Δ(φ), a boolean function is commonly represented by Bryant's binary decision diagram, currently named BDD of φ for the ordering O and described in publication (2): IEEE Transactions on Computers, C-35(8), August 1986, pages 677-691, R. E. Bryant, "Graph-Based Algorithms for Boolean Function Manipulation". In brief, as described in this publication, a BDD of φ for the ordering O is obtained from Shannon's tree by application until exhaustion of two reduction rules: (1) redundant node elimination and (2) equivalent subgraph sharing. The BDD is obtained regardless of the order of application of the two rules. As a result of redundant node elimination, the BDD has a stronger canonicity property than that of Shannon's trees since it does not refer to a variable support. Two equivalent functions for a predetermined ordering on the set of boolean variables have the same BDD. For example, ¬v1 ∨ v1 and ¬v2 ∨ v2 have the same BDD.

The transition function is a vector δ : {0, 1}^n → {0, 1}^k. It is a vector of k boolean functions δ = (δ1, ..., δk), with δi : {0, 1}^n → {0, 1}. In other words, δ(x1, ..., xn) = [δ1(x1, ..., xn), ..., δk(x1, ..., xn)].

More generally, a completely specified finite state machine is a 5-tuple M = (I, O, S, δ, λ). The set I = {0, 1}^k is the input space, the set O = {0, 1}^l is the output space and the set S = {0, 1}^n is the state space. Each state variable si is associated with a boolean function δi from S × I to {0, 1} and each output variable oi is associated with a boolean function λi from S × I to {0, 1}. The vector δ = (δi) is the transition function from S × I to S and the vector λ = (λi) is the output function from S × I to O. The symbols s1, ..., sn are used to denote the boolean state variables and x1, ..., xk to denote the boolean input variables. The vector [s1, ..., sn] is written s as well. In other words:

    I = {0, 1}^k encoded on the variables x1, ..., xk
    O = {0, 1}^l encoded on the variables o1, ..., ol
    S = {0, 1}^n encoded on the variables s1, ..., sn

    δ(s1, ..., sn, x1, ..., xk) : {0, 1}^{n+k} → {0, 1}^n, δ = (δ1, ..., δn)
    with δi(s1, ..., sn, x1, ..., xk) : {0, 1}^{n+k} → {0, 1}

    λ(s1, ..., sn, x1, ..., xk) : {0, 1}^{n+k} → {0, 1}^l, λ = (λ1, ..., λl)
    with λi(s1, ..., sn, x1, ..., xk) : {0, 1}^{n+k} → {0, 1}.

Figure 2 illustrates the structure of a product finite state machine referenced PFSM and hereunder also named product machine. It is an intuitive and sequential object like that illustrated in Figure 1. The product machine is similar to that illustrated in Figure 1, in which the processing circuit PC is duplicated to have a second processing circuit PC connected in parallel to the first processing circuit PC between the set I of inputs and the set O of outputs. More specifically, the first processing circuit PC comprises a first transition function δ, a first output function λ and a first set S of states s, while the second processing circuit PC comprises a second transition function δ', a second output function λ' and a second set S' of states s'. The first and second transition functions and the first and second output functions are connected to the set I of inputs and to the respective sets S, S' of states, while the outputs of the first and second output functions are connected to the set O of outputs.

Let s and s' be a pair of states; they are equivalent if the processing circuits having the respective states s and s' produce the same outputs in response to the same inputs. The product machine is used to determine whether a pair of states s and s' is made of equivalent states. The determination is made by concatenating the machine of Figure 1 with itself. Let S = {0, 1}^n be encoded by the variables s1, ..., sn. Let s'1, ..., s'n be n variables not used in the original machine. We denote the subset of pairs by BDDs on s1, ..., sn, s'1, ..., s'n. For each boolean function δi, the function δ'i is obtained by substituting the variables s'1, ..., s'n for the variables s1, ..., sn, respectively. Similarly, for each boolean function λi, the function λ'i is obtained by substituting the variables s'1, ..., s'n for the variables s1, ..., sn, respectively. Then,

$$\delta'_i(s'_1, \dots, s'_n, x_1, \dots, x_k) = \delta_i([s_1 \leftarrow s'_1] \dots [s_n \leftarrow s'_n])$$

$$\lambda'_i(s'_1, \dots, s'_n, x_1, \dots, x_k) = \lambda_i([s_1 \leftarrow s'_1] \dots [s_n \leftarrow s'_n])$$

The transition function of the product machine is denoted Δ = (δ1, ..., δn, δ'1, ..., δ'n) and Δ(s1, ..., sn, s'1, ..., s'n, x1, ..., xk) : {0, 1}^{n+n+k} → {0, 1}^{n+n}. The output function of the product machine is denoted Λ = (λ1, ..., λl, λ'1, ..., λ'l) and Λ(s1, ..., sn, s'1, ..., s'n, x1, ..., xk) : {0, 1}^{n+n+k} → {0, 1}^{l+l}.

Thus, the product machine is a 5-tuple M' = (I, [O × O], [S × S], Δ, Λ).

As other well-known definitions, let δ be a boolean function and x a variable; the following notations are used:

$$\forall x\,\delta = \delta(x \leftarrow 0) \wedge \delta(x \leftarrow 1), \qquad \exists x\,\delta = \delta(x \leftarrow 0) \vee \delta(x \leftarrow 1)$$

in which x can be a vector of boolean variables.

Also, let δ be a boolean function δ : {0, 1}^n → {0, 1}^k and P ⊆ {0, 1}^k; then the reverse image is

$$\delta^{-1}(P) \subseteq \{0, 1\}^n = \{(x_1, \dots, x_n) \mid \delta(x_1, \dots, x_n) \in P\}.$$

Once the product machine is constructed, each state in the product machine actually represents a pair of states s, s' of the machine. The goal is to compute the BDD, on the variables s1, ..., sn, s'1, ..., s'n, of the equivalent state pairs, in which the first component is encoded on the variables s1, ..., sn and the second component is encoded on the variables s'1, ..., s'n. In the prior art, an algorithm is used to get the equivalent state pairs. This algorithm consists in successively constructing the BDDs of the sets E_i until the fixpoint is reached. The fixpoint of a function f is the element x such that f(x) = x. Here the fixpoint is reached when E_n = E_{n+1} = E and is obtained by computing the sequence E_i as follows:

$$E_1(s, s') = \forall x \bigwedge_i \big(\lambda_i(s, x) \Leftrightarrow \lambda_i(s', x)\big)$$

$$E_n = E_1 \wedge \big(\forall x\,(\Delta^{-1}(E_{n-1}))\big)$$

This computation is based on a good variable ordering for the BDDs of the sets E_i, which must be compatible with the relation corroborated by experimentation:

$$\{s_1, s'_1\} < \{s_2, s'_2\} < \dots < \{s_n, s'_n\}$$

Intuitively, such an ordering makes the most of the two following facts: the sets E_i are graphs of equivalence relations and the original ordering of the state space is s1 < s2 < ... < sn.

The computation of the set E1 requires only boolean operations on BDDs, which are quadratic operations, and an elimination of variables. Experimental tests show that the construction of the set E1 is generally performed at a low cost when the above variable ordering is chosen. To compute the set E_n from E_{n-1}, we have to calculate the reverse image of E_{n-1} by the vector Δ and to perform a universal elimination of the input variables. The reverse image computation can be performed using several methods. One involves the construction of the graph of the transition function, but this graph cannot be built for very large machines FSM. Another method (called the substitution method) consists in replacing each of the variables si, s'i, sj, s'j, ... by the corresponding δi, δ'i, δj, δ'j, ... There exist some implementations that perform this substitution and the elimination of the input variables simultaneously. An example of this prior method is described in the above-cited publication (1).

The computation of the reverse image by the substitution method is made by an algorithm having an exponential complexity. Moreover, the vector Δ comprises 2n functions (δ, δ') and the reverse image is computed from the set E_{n-1} having 2n boolean variables. Thus the computation of Δ^{-1}(E_{n-1}) is a time-consuming step and requires a large memory space.

The present invention relates to a new method of computing Δ^{-1}(E_{n-1}), which corresponds to a new computation of the fixpoint reached when E_n = E_{n+1} = E. It overcomes the drawbacks of the prior art by allowing computation in a short time using a substantially smaller memory space.

More generally, the invention provides a method of verification of a finite state sequential machine, comprising computing by means of a computer a set Y defined from two finite sets B and S encoded on boolean variables, a function δ : B → S expressed by a vector of boolean functions, and an equivalence relation A on S, the set B being encoded on variables s = s1, ..., sn and x = x1, ..., xk, in which x can be void, and Qxi designating either ∃xi or ∀xi, so that:

$$Y = \{(s, s') \in (\exists x_1 \dots \exists x_k\, B)^2 \mid Q x_1 \dots Q x_k\,[(\delta(s, x), \delta(s', x)) \in A]\},$$

characterized in that the computation of the set Y comprises the steps of (a) constructing in a canonical way, from the BDD of the graph of the equivalence relation A, the BDD of the graph of a total function from S into S, named cross-section and denoted C(A), (b) constructing from the cross-section and the vector δ a new vector denoted δ* = C(A) ∘ δ, and (c) computing the pairs (s, s') such that Qx1 ... Qxk (δ*(s, x) = δ*(s', x)).

More particularly, the method is used to compute an equivalence relation E of a finite state machine (FSM), the equivalence relation E being defined as the fixpoint of a monotonic sequence E1, ..., E_n = E, the computation of the equivalence relation E being made by successively constructing the set E_n by use of the reverse image of the set E_{n-1} defined in terms of said set Y.

One result is an information support incorporating a computer program carrying out the method of the invention.

A second result is a tool of verification of a finite state sequential machine carrying out the method of the invention.

The objects and advantages of the invention will become clearly apparent from the following description of a preferred embodiment of the invention referring to the appended drawings. In the drawings:
Figure 1 is a block diagram of a finite state machine, and
Figure 2 is a block diagram of a product finite state machine.

The underlying idea of the present invention is based on the fact that the set Δ^{-1}(E_{n-1}) is the graph of an equivalence relation on S × S. To obtain the set E1, all the pairs of states having the same image by λ are to be found. To find them, the invention is directed to finding from the set E_{n-1} a vector θ having the following property:

$$[\theta(s) = \theta(s')] \Leftrightarrow [(s, s') \in \Delta^{-1}(E_{n-1})]$$

With the vector θ, Δ^{-1}(E_{n-1}) can be constructed in the same manner as the set E1 is built from the output function λ.

The present invention relates to a method of computing the reverse image of the transition function of a product finite state machine from the set of (n-1)-equivalent states, that is a method of computing Δ^{-1}(E_{n-1}), comprising the steps of:

(a) constructing in a canonical way, from the BDD of the graph of the relation E_{n-1}, the BDD of the graph of a total function from S into S, named cross-section and denoted C(E_{n-1}), and

(b) constructing from the cross-section and the vector δ a new vector denoted δ^{n-1} = C(E_{n-1}) ∘ δ. It will be shown that the new vector has the desired properties of the above vector θ. Thus this vector is obtained by a modification of the transition function δ with the help of the set C(E_{n-1}). Although the reverse image computation algorithm is still used, the sets whose reverse image is now computed are subsets of S (encoded by the variables s1, s2, ..., sn) instead of the set E_{n-1} of state pairs (encoded by the variables s1, s2, ..., sn, s'1, s'2, ..., s'n) as in the prior method.

Then the method of the invention can comprise a third step (c) of computing the equivalent pairs of states with respect to the vector δ^{n-1}. These pairs are exactly the elements of (∀x Δ^{-1}(E_{n-1})). However, it is clear that the third step can be used to compute any existential or universal elimination of the variables in computing the reverse image by use of the method of the invention. In other words, instead of the step (c) used to compute the elements of (∀x Δ^{-1}(E_{n-1})), an alternative third step (c') can be used to compute the elements of (∃x Δ^{-1}(E_{n-1})).

The canonical cross-section C(E_{n-1}) defined in step (a) can be computed by using various methods. Here is presented a canonical way to obtain the graph of a function C(R) from the graph of a relation R. The function C(R) is called the cross-section of the relation R. The definition that will be given is a particular case of a method introduced in publication (3): Research Report, University of California, Berkeley, 1992, B. Lin and A. Richard Newton, "Implicit Manipulation of Equivalence Classes Using Binary Decision Diagrams", known under the name of compatible projection.

It will be assumed that all the elements of a set {0, 1}^n are ordered by the increasing order of integers. For instance, the element (0, ..., 0, 1), represented by (¬s1 ∧ ¬s2 ∧ ... ∧ ¬s_{n-1} ∧ sn), is the predecessor of (0, ..., 0, 1, 0), represented by (¬s1 ∧ ¬s2 ∧ ... ∧ s_{n-1} ∧ ¬sn).

Definition 1: Let B and C be two sets and φ a relation from B into C, and let ≤ be a total order on C; then the cross-section of φ is the partial function C(φ) defined as:

$$C(\varphi) : B \to C, \qquad x \mapsto \min(\{y \mid (x, y) \in \varphi\})$$

To compute the cross-section of the relation E_{n-1}, the variables of the codomain are s1, ..., sn and the variables of the domain are s'1, ..., s'n. From the BDD of E_{n-1} can be recursively constructed the BDD of C(E_{n-1}) by applying the following transformation, which removes from the BDD of E_{n-1} the pairs that are not in C(E_{n-1}), and which is the following algorithm 1.

    CrossSection(bdd) {
        if ((bdd == true) || (bdd == false))
            return(bdd);                                  // leaves are kept as they are
        if (bdd == [s_i, left, right])                    // node on a first-component variable
            return( [s_i, C(left), C(right)] );
        if (bdd == [s'_i, left, right]) {                 // node on a second-component variable
            aux = ¬∃s'_1, ..., s'_n (left);               // elements already served by the left branch
            return( [s'_i, C(left), C(right) ∧ aux] );
        }
    }

This construction can be performed by a unique traversal of the graph of E_{n-1}, provided intermediate results are stored in the graph nodes.
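The recursion of algorithm 1 carried out on an ordered decision tree, as an added example that is not part of the patent. It builds an unreduced Shannon tree (no node sharing) over the interleaved ordering s1 < s'1 < s2 < s'2 of the patent and assumes that the s variables are the domain, the s' variables the codomain on which the minimum is taken, and that "left" denotes the 0-branch of a node.

```python
# Added example (not the patent's own code): Algorithm 1, CrossSection, on an ordered
# decision tree (an unreduced Shannon tree, the structure the patent's BDD is reduced from).
# Assumptions: the s variables are the domain, the s' variables the codomain that is
# minimised, and the "left" branch of a node is its 0-branch.
N = 2
ORDER = [v for i in range(1, N + 1) for v in (f"s{i}", f"s'{i}")]   # s1 < s'1 < s2 < s'2
RANK = {v: k for k, v in enumerate(ORDER)}
SPRIME = {f"s'{i}" for i in range(1, N + 1)}                         # second-component variables

def is_leaf(t):
    return isinstance(t, bool)

def build(pred, k=0, env=None):
    """Shannon tree of a predicate over ORDER: node = (var, branch var=0, branch var=1)."""
    env = env or {}
    if k == len(ORDER):
        return bool(pred(env))
    v = ORDER[k]
    return (v, build(pred, k + 1, {**env, v: 0}), build(pred, k + 1, {**env, v: 1}))

def apply(op, a, b):
    """Combine two ordered trees node-wise, descending on the smaller variable first."""
    if is_leaf(a) and is_leaf(b):
        return op(a, b)
    va = None if is_leaf(a) else a[0]
    vb = None if is_leaf(b) else b[0]
    if vb is None or (va is not None and RANK[va] < RANK[vb]):
        return (va, apply(op, a[1], b), apply(op, a[2], b))
    if va is None or RANK[vb] < RANK[va]:
        return (vb, apply(op, a, b[1]), apply(op, a, b[2]))
    return (va, apply(op, a[1], b[1]), apply(op, a[2], b[2]))

def negate(t):
    return (not t) if is_leaf(t) else (t[0], negate(t[1]), negate(t[2]))

def exists(t, variables):
    """Existential elimination: for each v in variables, t[v <- 0] or t[v <- 1]."""
    if is_leaf(t):
        return t
    v, lo, hi = t
    lo, hi = exists(lo, variables), exists(hi, variables)
    return apply(lambda p, q: p or q, lo, hi) if v in variables else (v, lo, hi)

def cross_section(t):
    """Algorithm 1: keep, for each s, only the least s' related to it."""
    if is_leaf(t):
        return t
    v, left, right = t
    if v not in SPRIME:                      # node on s_i: recurse on both branches
        return (v, cross_section(left), cross_section(right))
    # node on s'_i: an s that already has a partner with s'_i = 0 (in 'left') must not
    # keep any partner from the s'_i = 1 branch, since that partner would be larger
    aux = negate(exists(left, SPRIME))
    return (v, cross_section(left), apply(lambda p, q: p and q, cross_section(right), aux))

def evaluate(t, env):
    while not is_leaf(t):
        t = t[2] if env[t[0]] else t[1]
    return t

def env_of(x, y):
    """Assignment encoding the state pair (x, y); s1 and s'1 are the most significant bits."""
    return {**{f"s{i + 1}": (x >> (N - 1 - i)) & 1 for i in range(N)},
            **{f"s'{i + 1}": (y >> (N - 1 - i)) & 1 for i in range(N)}}

def decode(env):
    x = sum(env[f"s{i + 1}"] << (N - 1 - i) for i in range(N))
    y = sum(env[f"s'{i + 1}"] << (N - 1 - i) for i in range(N))
    return x, y

# Constructed equivalence relation on S = {0, 1, 2, 3} with the classes {0, 1}, {2}, {3}.
CLASS = {0: 0, 1: 0, 2: 1, 3: 2}
REL = {(x, y) for x in range(4) for y in range(4) if CLASS[x] == CLASS[y]}

def cross_section_pairs(rel):
    """Pairs (s, C(rel)(s)) read back from the tree produced by Algorithm 1."""
    tree = cross_section(build(lambda env: decode(env) in rel))
    return {(x, y) for x in range(4) for y in range(4) if evaluate(tree, env_of(x, y))}

def expected_pairs(rel):
    """Definition 1 applied directly: the least y related to each x."""
    return {(x, min(y for y in range(4) if (x, y) in rel)) for x in range(4)}

if __name__ == "__main__":
    print(sorted(cross_section_pairs(REL)))   # [(0, 0), (1, 0), (2, 2), (3, 3)]
```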

Then, according to the second step (b) of the method of the invention, the composition denoted C(E_{n-1}) ∘ δ is to be constructed. The construction could be made by using different methods. The following example is a method proceeding by separately modifying each of the original functions δi of δ using the BDD of C(E_{n-1}).

The function δ is given as a vector of boolean functions (δ1, ..., δn) and the δi are on the state variables s and the input variables x. The vector δ^{n-1} = (δ1^{n-1}, ..., δn^{n-1}) is built on the same variables, and we must have δ^{n-1}(s, x) = C(E_{n-1}) ∘ δ(s, x). Since E_{n-1} is an equivalence relation, it is trivial to verify that C(E_{n-1}) is a function defined everywhere. Consequently, the composition δ^{n-1} is defined everywhere, as δ is.

Let s be in S and K_i(s) denote the value of the component si of s. For example, K3([0, 1, 1, 0]) is 1. The function δj^{n-1} can be defined by the following equation, for j = 1 to n:

$$\delta_j^{\,n-1}(s, x) = K_j\big[C(E_{n-1})(\delta(s, x))\big]$$

Let us consider the BDD G of the graph of the cross-section C(E_{n-1}). For j from 1 to n we construct the set

$$D_j = \exists s' \big((\neg s_j \Leftrightarrow s'_j) \wedge G\big)$$

Dj ⊆ S includes all the states s such that Kj(s) ≠ Kj(C(E_{n-1})(s)). The δj^{n-1} are obtained using the following theorem.

Theorem 1: Let F be the vector C(E_{n-1}); then F ∘ δ = δ^{n-1} = (δ1^{n-1}, ..., δn^{n-1}) can be defined as

$$\delta_j^{\,n-1} = \delta_j \oplus \delta^{-1}(D_j)$$

As a proof, it is checked that δj^{n-1}(s, x) = Kj[F(δ(s, x))] by cases, depending on the values of Kj(δ(s, x)) and Kj[F(δ(s, x))]:

Kj(δ(s, x)) = 0 and Kj[F(δ(s, x))] = 0. Since δ(s, x) is not in Dj, (s, x) is not in δ^{-1}(Dj), and since (s, x) is not in δj, δj^{n-1}(s, x) = 0.

Kj(δ(s, x)) = 0 and Kj[F(δ(s, x))] = 1. Since δ(s, x) is in Dj, (s, x) is in δ^{-1}(Dj), and since δj(s, x) = 0, we have δj^{n-1}(s, x) = 1.

Kj(δ(s, x)) = 1 and Kj[F(δ(s, x))] = 0. Since δ(s, x) is in Dj, (s, x) is in δ^{-1}(Dj), and since (s, x) is in δj, δj^{n-1}(s, x) = 0.

Kj(δ(s, x)) = 1 and Kj[F(δ(s, x))] = 1. Since δ(s, x) is not in Dj, (s, x) is not in δ^{-1}(Dj), and since (s, x) is in δj, δj^{n-1}(s, x) = 1.

The correctness of the composition will now be shown. It must be checked that the following equation holds:

$$[(s, s') \in \forall x(\Delta^{-1}(E_{n-1}))] \Leftrightarrow \forall x\,(\delta^{n-1}(s, x) = \delta^{n-1}(s', x))$$

Proposition 1: If φ is a transitive and symmetrical relation from B into B defined everywhere, then

$$\forall x, y\; \big(C(\varphi)(x) = C(\varphi)(y)\big) \Leftrightarrow \big((x, y) \in \varphi\big)$$

Proof:

Let t = C(φ)(x) = C(φ)(y). By definition, the two pairs (x, t) and (y, t) are in φ. By symmetry, (t, y) is in φ. Thus, by transitivity, (x, y) is in φ.

Conversely, suppose that C(φ)(x) < C(φ)(y) and that (x, y) ∈ φ. By symmetry, (y, x) is in φ. By transitivity, (y, C(φ)(x)) is in φ. Now, (y, C(φ)(x)) ∈ φ is inconsistent with the assumption C(φ)(x) < C(φ)(y), since C(φ)(y) is the least element related to y.

Theorem 2: The composition C(E_{n-1}) ∘ δ verifies the property of the equation to be shown. The statement results from Proposition 1:

$$\begin{aligned}
&\forall x \in I\;[F(\delta(s, x)) = F(\delta(s', x))] \\
\Leftrightarrow\;& \forall x \in I\;[(\delta(s, x), \delta(s', x)) \in E_{n-1}] && \text{from Proposition 1} \\
\Leftrightarrow\;& \forall x \in I\;[\Delta(s, s', x) \in E_{n-1}] && \text{from the definition of } \Delta \\
\Leftrightarrow\;& (s, s') \in (\forall x(\Delta^{-1}(E_{n-1}))) && \text{from a } \forall\text{-elimination of the input variables}
\end{aligned}$$

Thus, a new algorithm allows computing the set E_n from E_{n-1}. The BDD of E_{n-1} is the graph of an equivalence relation on S × S. The set E_{n-1} is built on the boolean variables s1, s2, ..., sn, s'1, s'2, ..., s'n, where the si encode the first component of the pairs of S × S and the s'i encode the second component. First, the BDD of the graph of the canonical application of this equivalence relation is built and named C(E_{n-1}). C(E_{n-1}) is built on the boolean variables s1, s2, ..., sn, s'1, s'2, ..., s'n, in which the si encode the first component of the pairs of S × S and the s'i encode the second component. Let F be the function of type S → S having the graph C(E_{n-1}). From the BDD of C(E_{n-1}) and the transition function δ is computed the vector δ^{n-1} in accordance with the method of the invention. The vector δ'^{n-1} is built by renaming the variables s into s'. Then the set ∀x(δ^{n-1} ⇔ δ'^{n-1}) is computed. The set E_n is the intersection of this latter set, built on the variables s1, s2, ..., sn, s'1, s'2, ..., s'n, and the set E1. Thus, the set ∀x(Δ^{-1}(E_{n-1})) is built from δ^{n-1} in the same manner as E1 is constructed from Λ. Finally, the set E_n is equal to (∀x(Δ^{-1}(E_{n-1})) ∧ E1).

The following second algorithm is given for the iterative step. This algorithm takes as input the BDD of E_{n-1} and the list of variables (s'1, s'2, ..., s'n) used for a copy of the state variables and for the range of the cross-section C(E_{n-1}). The returned result is the BDD of E_n. Both E_n and E_{n-1} have the variable support s1, s2, ..., sn, s'1, s'2, ..., s'n. The algorithm 2 is:

45 
    IterativeStep(E, s') {
        proj = CrossSection(E, s');                       // step (a): C(E_{n-1})
        for (j = 1; j <= n; j++) {
            dif = ∃s'((¬s_j ⇔ s'_j) ∧ proj);               // D_j: states whose j-th bit differs from their representative
            ant = δ^{-1}(dif);                              // reverse image of a subset of S, not of S x S
            case (j) {
                (1) {
                    new_1 = δ_1 ⇔ ¬ant;                     // δ_1 XOR ant (Theorem 1)
                    new'_1 = new_1[s ← s'];                 // copy on the second-component variables
                    break;
                }
                [...]
                (n) {
                    new_n = δ_n ⇔ ¬ant;
                    new'_n = new_n[s ← s'];
                    break;
                }
            }
        }
        pred = ∀x ∧_j (new_j ⇔ new'_j);                      // step (c): ∀x(Δ^{-1}(E_{n-1}))
        Enew = E_1 ∧ pred;
        return(Enew);
    }
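The iterative step above carried out on a small machine with explicitly enumerated sets in place of BDDs, as an added example that is not part of the patent. The machine, its transition and output tables and the state encoding are constructed for the example; the step is checked against the prior-art reverse image (Theorem 2) and against the per-bit form of Theorem 1.

```python
# Added example (not the patent's own code): Algorithm 2 on an explicitly enumerated
# machine (Python sets instead of BDDs), checked against the prior-art reverse image
# computation (Theorem 2) and against the XOR form of Theorem 1.
from itertools import product

N = 2                      # state bits s1 (most significant) and s2, so S = {0,1}^2 = {0,1,2,3}
STATES = (0, 1, 2, 3)
INPUTS = (0, 1)            # one input bit x
# Constructed Mealy machine (not one of the ISCAS89 circuits of the patent's tables).
DELTA = {(0, 0): 1, (0, 1): 2,   # delta(s, x) -> next state
         (1, 0): 0, (1, 1): 2,
         (2, 0): 3, (2, 1): 0,
         (3, 0): 3, (3, 1): 3}
LAMBDA = {(s, x): (1 - x if s == 3 else x)   # lambda(s, x) -> output bit
          for s in STATES for x in INPUTS}

def bit(j, s):
    """K_j(s): value of the state component s_j, with s_1 the most significant bit."""
    return (s >> (N - 1 - j)) & 1

def e1(lam):
    """E_1: pairs (s, s') producing the same output for every input (1-equivalence)."""
    return frozenset((s, t) for s, t in product(STATES, STATES)
                     if all(lam[s, x] == lam[t, x] for x in INPUTS))

def cross_section(rel):
    """Step (a), Definition 1: C(R)(s) = min{y | (s, y) in R} with the integer order on S."""
    return {s: min(y for y in STATES if (s, y) in rel) for s in STATES}

def compose(cross, delta):
    """Step (b): delta^{n-1} = C(E_{n-1}) o delta, transitions mapped onto representatives."""
    return {(s, x): cross[delta[s, x]] for s, x in product(STATES, INPUTS)}

def theorem1_compose(cross, delta):
    """Same vector built bit by bit as in Theorem 1: delta_j^{n-1} = delta_j XOR delta^{-1}(D_j),
    with D_j = {s | K_j(s) != K_j(C(s))}; the bits are recombined into an integer state."""
    d_sets = [{s for s in STATES if bit(j, s) != bit(j, cross[s])} for j in range(N)]
    out = {}
    for s, x in product(STATES, INPUTS):
        nxt = delta[s, x]
        bits = [bit(j, nxt) ^ (nxt in d_sets[j]) for j in range(N)]
        out[s, x] = sum(b << (N - 1 - j) for j, b in enumerate(bits))
    return out

def agreeing_pairs(new_delta):
    """Step (c): delta^{n-1}(s, x) = delta^{n-1}(s', x) for every x (forall-elimination of x)."""
    return frozenset((s, t) for s, t in product(STATES, STATES)
                     if all(new_delta[s, x] == new_delta[t, x] for x in INPUTS))

def prior_art_reverse_image(rel, delta):
    """forall x . (delta(s, x), delta(s', x)) in E_{n-1}, computed directly on state pairs."""
    return frozenset((s, t) for s, t in product(STATES, STATES)
                     if all((delta[s, x], delta[t, x]) in rel for x in INPUTS))

def iterative_step(prev, first, delta):
    """Algorithm 2: E_n = (forall x . Delta^{-1}(E_{n-1})) and E_1, via the cross-section."""
    cross = cross_section(prev)
    new_delta = compose(cross, delta)
    assert new_delta == theorem1_compose(cross, delta)            # Theorem 1
    new = agreeing_pairs(new_delta) & first
    assert new == prior_art_reverse_image(prev, delta) & first    # Theorem 2
    return new

def observable_equivalence(delta, lam):
    """Iterate E_1, E_2, ... until E_n = E_{n+1}; returns (E, number of sets built)."""
    first = e1(lam)
    cur, steps = first, 1
    while True:
        nxt = iterative_step(cur, first, delta)
        steps += 1
        if nxt == cur:
            return cur, steps
        cur = nxt

def classes(rel):
    """Equivalence classes of S as a sorted list of sorted lists."""
    reps = cross_section(rel)
    return sorted(sorted(s for s in STATES if reps[s] == r) for r in set(reps.values()))

if __name__ == "__main__":
    e, n = observable_equivalence(DELTA, LAMBDA)
    print(classes(e), n)   # [[0, 1], [2], [3]] 3
```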



Comparisons have been made between the algorithm of the present invention and the implementation of the prior art algorithm. The method of the invention enables a lower space complexity due to the simplification of the reverse image computation and generally allows better results in time. The following table shows the features of the testing models: circuit name of the ISCAS89 benchmarks, number of variables (successively: inputs; outputs; states), number of vertices of all BDDs, number of equivalence classes and number of steps required for the computation.

    circuit name   variables (inputs; outputs; states)   vertices   equivalence classes   steps
    s344           9 ; 11 ; 15                           164        18608                 5
    s1488          8 ; 19 ; 6                            476        49                    2
    s298           3 ; 6 ; 14                            117        8061                  16
    s382           3 ; 6 ; 21                            174        608448                93
The following table shows the results of the method of the invention compared with the prior method. CPU times are reported in seconds on an IBM RS-6000 workstation.

    circuit name   CPU time (s)              memory
                   invention   prior art     invention   prior art
    s344           1.9         21.0          0.9         2.2
    s1488          1.0         12.7          0.6         1.7
    s298           8.5         286.4         1.6         7.5
    s382           480.6       2608.4        3.7         10.6



The vertices created for the computation appear in the following table.

    circuit name   vertices
                   invention   prior art
    s344           27127       110314
    s510           16358       64387
    s1488          15935       97622
    s298           78210       1372970
    s382           2600773     >3500000



The method of the invention can be modified by a man skilled in the art to have a plurality of various embodiments. For example, a BDD can have several embodiments, in particular the so-called TDG (Typed Decision Graph) described for example in the book The Fusion between Hardware Design and Verification, G. Milne as publisher, North-Holland, in the part entitled "Original Concepts of PRIAM, An Industrial Tool for Efficient Formal Verification of Combinational Circuits". Any form of BDD can be used by the present invention. Furthermore, although the ordering of all the BDDs is assumed to be s1 < s'1 < s2 < ... < sn < s'n, another ordering can be used and the method can be modified accordingly. Also, although the description of the above embodiment of the invention has been directed to computing the set ∀x(Δ^{-1}(E_{n-1})), it has been shown that the invention can be extended to any quantification of each variable of x.

Also, although the method of the invention is a solution to a problem raised by a finite state machine applied to hardware design and verification, it can be extended to be a method of verification of a sequential machine having finite states, since a finite state machine is a software sequential machine. For example, the method can be used for protocol verification, control interface verification and more generally for the verification of software program portions having finite states. Also, it is clear that the invention can be applied to the verification of a hardware sequential machine such as a sequencer and an automated machine having finite states. The meaning of the word "verification" includes that of test, which is to verify whether required conditions are satisfied.

Furthermore, although the above preferred embodiment shows that the method of the present invention uses an iterative computation from E_{n-1}, it is obvious that the present invention can be used without iterative computation and for any quantification of each variable.

As a result, the method of the invention can be defined as a method of verification of a finite state sequential machine, comprising computing by means of a data processing machine a set Y defined from two finite sets B and S encoded on boolean variables, a function δ : B → S expressed by a vector of boolean functions and an equivalence relation A on S, the set B being encoded on variables s = s1, ..., sn and x = x1, ..., xk, in which x can be void, and Qxi designating either ∃xi or ∀xi, so that:

$$Y = \{(s, s') \in (\exists x_1 \dots \exists x_k\, B)^2 \mid Q x_1 \dots Q x_k\,[(\delta(s, x), \delta(s', x)) \in A]\},$$

characterized in that the computation of the set Y comprises the steps of (a) constructing in a canonical way, from the BDD of the graph of the equivalence relation A, the BDD of the graph of a total function from S into S, named cross-section and denoted C(A), (b) constructing from the cross-section and the vector δ a new vector denoted δ* = C(A) ∘ δ, and (c) computing the pairs (s, s') such that Qx1 ... Qxk (δ*(s, x) = δ*(s', x)). In this definition, the sets B and S are any sets, which can be different from the above sets B and S; the variables s and x are any variables, which can be different from the above variables s and x; the equivalence relation A is any equivalence relation; and the function δ can be another function than the transition function of an FSM. Since no iterative computation is made, the vector δ* is used in lieu of the δ^{n-1} of the iterative computation of the above embodiment. The equation for the computation of Y is the algorithm of computation of a reverse image. Accordingly, the connection of this general definition with the method as described in the above embodiment can be made by defining the latter as a method used to compute an equivalence relation (E) of a finite state machine FSM, the equivalence relation (E) being defined as the fixpoint of a monotonic sequence E1, ..., E_n = E, the computation of the equivalence relation (E) being made by successively constructing the set E_n by use of the reverse image of E_{n-1} defined in terms of said set Y.

In the above description of the preferred embodiment it has been shown that the canonical cross-section used in the above step (a) can be computed from the compatible projection using the following definition: let B and C be two sets and φ a relation from B into C, and let ≤ be a total order on C; then the cross-section of φ is the partial function C(φ) defined as:

C(φ) : B → C
       x ↦ min({y | (x, y) ∈ φ}).

In this definition the increasing ordering of the variables is assumed. Another ordering and definition could be used. For example, another ordering can be used by replacing in the above definition "let ≤ be a total order on C" by "let < be a total strict order on C". Also, a computation by a method other than the compatible projection can be used.

From theorem 1 of the preferred embodiment it can also be shown that in step (b) of the general definition of the present invention the vector δ* is built from the vector δ and the graph C(A), this graph being encoded on said variable s = s_1, …, s_n for the domain and on a variable s* = s*_1, …, s*_n for the codomain, while δ* is built by using the sets D_j = ∃s*((s_j ⇔ s*_j) ∧ C(A)) and performing the reverse image computation uniquely for the sets D_j. The word "uniquely" is a consequence of the present invention.

The method can be carried out by a computer program on an information support such as a magnetic tape or disk and by a verification tool.
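As an added illustration, not code from the patent, steps (a) to (c) of the general definition above are carried out on explicit sets instead of BDDs for a small constructed Moore machine, and the fixpoint loop of the iterative embodiment (claim 2) is run on it; the machine, its outputs and the choice of seeding E_1 from output equality are assumptions of this example. The reference function checks the cross-section result against the direct reverse image Δ⁻¹(A).

```python
# Added example, not the patent's code: steps (a)-(c) of the general
# definition on explicit sets instead of BDDs, for a constructed machine.

# Constructed Moore machine: states S, one input bit, transitions DELTA(s, x)
# and an output per state used to seed E_1 (all values are made up here).
S = [0, 1, 2, 3]
X = [0, 1]
DELTA = {(0, 0): 1, (0, 1): 2, (1, 0): 3, (1, 1): 0,
         (2, 0): 0, (2, 1): 2, (3, 0): 2, (3, 1): 1}
OUTPUT = {0: 0, 1: 1, 2: 1, 3: 0}

def cross_section(rel):
    """Step (a): C(rel) maps each s to min{y | (s, y) in rel}, the total
    order being the increasing order of the integer encoding; for an
    equivalence relation every class is sent to its smallest member."""
    return {s: min(y for (a, y) in rel if a == s) for s in S}

def compose(cs, delta):
    """Step (b): delta* = C(A) o delta, applied pointwise to the transitions."""
    return {(s, x): cs[t] for (s, x), t in delta.items()}

def reverse_image(rel, delta, quant=all):
    """Step (c): Y = {(s, s') | Qx (delta*(s, x) = delta*(s', x))};
    quant=all realises Qx = forall x, quant=any realises Qx = exists x."""
    dstar = compose(cross_section(rel), delta)
    return {(s, t) for s in S for t in S
            if quant(dstar[(s, x)] == dstar[(t, x)] for x in X)}

def reverse_image_direct(rel, delta, quant=all):
    """Reference without cross-section: Qx ((delta(s, x), delta(s', x)) in rel)."""
    return {(s, t) for s in S for t in S
            if quant((delta[(s, x)], delta[(t, x)]) in rel for x in X)}

def equivalence(delta, output):
    """Claim 2: E_1 pairs states with equal output, E_n refines E_{n-1} by
    its reverse image until the fixpoint E is reached. Returns (E, n)."""
    e = {(s, t) for s in S for t in S if output[s] == output[t]}
    n = 1
    while True:
        nxt = e & reverse_image(e, delta)
        if nxt == e:
            return e, n
        e, n = nxt, n + 1
```

For this machine the refinement splits {1, 2} at E_2 and {0, 3} at E_3, so the fixpoint is the identity relation after three steps.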


Claims 

1. Method of verification of a finite state sequential machine, comprising computing by means of a data processing machine a set Y defined from two finite sets B and S encoded on boolean variables, a function δ : B → S expressed by a vector of boolean functions, and an equivalence relation A on S, the set B being encoded on variables s = s_1, …, s_n and x = x_1, …, x_k, in which x can be void, and Qx_j designating either ∃x_j or ∀x_j, so that:

Y = {(s, s') ∈ (∃x_1 … ∃x_k B)² | Qx_1 … Qx_k [(δ(s, x), δ(s', x)) ∈ A]},

characterized in that the computation of set Y comprises the steps of (a) constructing in a canonical way, from the BDD of the graph of the equivalence relation A, the BDD of the graph of a total function from S into S, named cross-section and denoted C(A), (b) constructing from the cross-section and the vector δ a new vector denoted δ* = C(A) ∘ δ, and (c) computing the pairs (s, s') such that Qx_1 … Qx_k (δ*(s, x) = δ*(s', x)).

2. Method according to claim 1, characterized in that it is used to compute an equivalence relation E of a finite state machine (FSM), the equivalence relation E being defined as the fixpoint of a monotonic suite E_1, …, E_n = E, the computation of the equivalence relation E being made by successively constructing the set E_n by use of the reverse image of the set E_{n-1} defined in terms of said set Y and corresponding to Δ⁻¹(E_{n-1}).

3. Method according to claim 1 or 2, characterized in that said step (a) is computed from the compatible projection in which the following definition is used: let B and C be two sets and φ a relation from B into C, and let < be a total strict order on C; then the cross-section of φ is the partial function C(φ) defined as:

C(φ) : B → C
       x ↦ min({y | (x, y) ∈ φ}).



4. Method according to claim 1 or 2, characterized in that said step (a) is computed from the compatible projection in which the following definition is used: let B and C be two sets and φ a relation from B into C, and let ≤ be a total order on C; then the cross-section of φ is the partial function C(φ) defined as:

C(φ) : B → C
       x ↦ min({y | (x, y) ∈ φ})

and the order is selected to be a successive increasing order.

5. Method according to any one of claims 1 to 4, characterized in that in step (b) the vector δ* is built from the vector δ and the graph C(A), this graph being encoded on said variable s = s_1, …, s_n for the domain and on a variable s* = s*_1, …, s*_n for the codomain, and δ* is also built by using the sets D_j = ∃s*((s_j ⇔ s*_j) ∧ C(A)) and performing the reverse image computation uniquely for the sets D_j.

6. Method according to any one of claims 2 to 5, characterized in that said step (b) comprises constructing from said cross-section and said vector δ a new vector δ^{n-1} = C(E_{n-1}) ∘ δ.

7. Method according to claim 6, characterized in that it further comprises a step (c) of computing the equivalent pairs of states with respect to the vector δ^{n-1} to obtain the pairs of ∀x(Δ⁻¹(E_{n-1})).

8. Information support incorporating a computer program, characterized in that the program carries out the method defined by any one of claims 1 to 7.

9. Tool of verification of a finite state sequential machine, characterized in that it carries out the method defined in any one of claims 1 to 7 or the information support of claim 8.